I'm afraid that the best way to do that would be to change the way you are storing these events. If the reasonPhrase and requestUri are related to the same event, then they should be in the same document in Elasticsearch.

Elasticsearch isn't relational, so joining on something like sessionID isn't going to work out of the box. I'm pretty sure that there are some tricks you can use to do it, but Kibana doesn't support it out of the box, so I don't recommend it.

Reviving an old thread, but I stumbled across this while looking for something else and I had a thought. What if, using the Visualize app, you do a terms agg on the sessionID field along with the query you have here? Any bucket with a doc count of 2 should be a culprit. If there's a potential for multiple "Internal Server Error" or "URL" documents for a given ID over time, you could also add a date histogram agg with a fairly small interval to hopefully narrow it down to one error per bucket (I'm assuming the url doc and the error doc will have matching timestamps, or at least be within milliseconds of each other, whereas separate errors are probably minutes, hours, or days apart).
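The approach in the reply above, as an added example that is not part of the thread: a terms aggregation on sessionID with a date_histogram sub-aggregation, both filtered with min_doc_count, plus a small local simulation of the same bucketing over constructed sample events so the logic can be checked offline. The field name @timestamp, the sample documents and the bool query are assumptions (the original poster's query is not shown in the thread); `fixed_interval` assumes an Elasticsearch 7.2+ cluster.

```python
"""Spot sessions where a request URI document and an "Internal Server Error"
document fall into the same sessionID / time bucket.

Hypothetical example: the @timestamp field, the sample events and the bool
query are assumptions, not taken from the thread.
"""
from collections import defaultdict
from datetime import datetime, timezone

ERROR_PHRASE = "Internal Server Error"

# Constructed sample events, one document per log line.
DOCS = [
    {"sessionID": "s1", "@timestamp": "2024-01-01T12:00:00.100", "requestUri": "/checkout"},
    {"sessionID": "s1", "@timestamp": "2024-01-01T12:00:00.150", "reasonPhrase": ERROR_PHRASE},
    {"sessionID": "s2", "@timestamp": "2024-01-01T12:00:01.000", "requestUri": "/cart"},
    {"sessionID": "s3", "@timestamp": "2024-01-01T09:00:00.000", "requestUri": "/login"},
    {"sessionID": "s3", "@timestamp": "2024-01-01T09:10:00.000", "requestUri": "/profile"},
    {"sessionID": "s3", "@timestamp": "2024-01-01T09:10:00.020", "reasonPhrase": ERROR_PHRASE},
    {"sessionID": "s4", "@timestamp": "2024-01-01T10:00:00.000", "reasonPhrase": "OK"},
]


def build_es_request(interval="1s", min_doc_count=2):
    """Request body equivalent to what the Visualize app would build: a terms
    agg on sessionID, then a date_histogram per session. Buckets with fewer
    than min_doc_count hits are dropped, so only candidate sessions remain."""
    return {
        "size": 0,
        "query": {"bool": {"minimum_should_match": 1, "should": [
            {"match_phrase": {"reasonPhrase": ERROR_PHRASE}},   # assumed query
            {"exists": {"field": "requestUri"}},
        ]}},
        "aggs": {"by_session": {
            "terms": {"field": "sessionID", "min_doc_count": min_doc_count, "size": 500},
            "aggs": {"by_time": {"date_histogram": {
                "field": "@timestamp", "fixed_interval": interval,
                "min_doc_count": min_doc_count}}},
        }},
    }


def matches_query(doc):
    """Local equivalent of the assumed bool query above."""
    return doc.get("reasonPhrase") == ERROR_PHRASE or "requestUri" in doc


def bucket_start(ts_iso, interval_seconds):
    """Floor a timestamp to the start of its fixed-interval histogram bucket."""
    ts = datetime.fromisoformat(ts_iso).replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    start = epoch - epoch % interval_seconds
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def terms_doc_counts(docs):
    """Plain terms agg: hits per sessionID. A count of exactly 2 is the
    simple signal from the thread; larger counts are ambiguous."""
    counts = defaultdict(int)
    for d in docs:
        if matches_query(d):
            counts[d["sessionID"]] += 1
    return dict(counts)


def find_culprit_sessions(docs, interval_seconds=1, min_doc_count=2):
    """Terms agg + date_histogram: sessions with a time bucket holding at
    least min_doc_count hits, so a URL doc and its error doc (milliseconds
    apart) land together while unrelated hits minutes apart do not."""
    per_bucket = defaultdict(lambda: defaultdict(int))
    for d in docs:
        if matches_query(d):
            per_bucket[d["sessionID"]][bucket_start(d["@timestamp"], interval_seconds)] += 1
    return {sid: sorted(b for b, n in buckets.items() if n >= min_doc_count)
            for sid, buckets in per_bucket.items()
            if any(n >= min_doc_count for n in buckets.values())}


if __name__ == "__main__":
    print("terms counts:", terms_doc_counts(DOCS))
    print("culprits:", find_culprit_sessions(DOCS))
```

With the sample data, the plain terms count for s3 is 3 (two page hits plus one error), which the histogram resolves to the single one-second bucket where the /profile request and the error coincide; s1 is flagged by both views and s2 by neither.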